Slicc

Reputation: 3435

Trying to update user on Azure B2C gives me an "Insufficient Privileges" error

I am using B2C and MS Graph API to create new users in B2C, however when I try and update a user, using the update command below:

    // Update an existing B2C user (method fragment; _graphClient is the GraphServiceClient built below)
    await _graphClient.Users[b2cUser.Id]
        .Request()
        .UpdateAsync(CreateGraphUserForUpdateCreate(extensionInstance, user));

I get the error:

    Microsoft.Graph.ServiceException: 'Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
    Inner error:
        AdditionalData:
        request-id: 6494a468-e7e2-41ed-a39c-527715656737
        date: 2020-04-23T11:14:13

I have given my App Directory.Read.All and Directory.ReadWrite.All API permissions.

Is there another permission I need to set?

UPDATE: The code to create the authProvider is as below (the "without a user" approach):

    // Initialize the client credential auth provider
    IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
        .Create(config.AppId)
        .WithTenantId(config.Tenant)
        .WithClientSecret(config.ClientSecret)
        .Build();

    ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);

    // Set up the Microsoft Graph service client with client credentials
    _graphClient = new GraphServiceClient(authProvider);

And a screenshot of the permissions (image not reproduced here).

Upvotes: 0

Views: 883

Answers (1)

Allen Wu

Reputation: 16438

Based on the Permissions section of the Update user documentation:

If you implement "Get access on behalf of a user", you should add one of the Delegated permissions:

User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All


And you should use the Authorization code provider to get the authProvider.

If you implement "Get access without a user", you should add one of the Application permissions:

User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All


And you should use the Client credentials provider to get the authProvider.

Please note that after you add the permissions in Azure AD app, don't forget to click on "Grant admin consent for {your tenant}".


Update:

You are trying to update the password. When updating the passwordProfile property, the following permission is required: Directory.AccessAsUser.All, which you haven't added to your Azure AD app. That's why this error occurs. See details here.

Upvotes: 2
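The answer's distinction (application permissions arrive in an app-only token's `roles` claim, delegated permissions in a delegated token's `scp` claim, and Directory.AccessAsUser.All appears only in the delegated list) can be checked before the Graph call instead of waiting for Authorization_RequestDenied. The following is an added example, not code from the question or the answer: it decodes the access token's payload (no signature validation, this is a diagnostic, not an authorization check), reads `roles`/`scp`, and reports which of the permissions the answer lists are missing for an update, including the passwordProfile case. It uses only System.Text.Json, so it needs .NET Core 3.0 or later; the tokens built in `Main` are constructed, unsigned samples for the demo, and the method names are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

// Pre-flight permission check for PATCH /users/{id} (added example, not the page's code).
public static class GraphPermissionCheck
{
    // Application permissions the answer lists for "Get access without a user".
    static readonly string[] AppUpdatePermissions =
        { "User.ReadWrite.All", "User.ManageIdentities.All", "Directory.ReadWrite.All" };

    // Delegated permissions the answer lists for "Get access on behalf of a user".
    static readonly string[] DelegatedUpdatePermissions =
        { "User.ReadWrite", "User.ReadWrite.All", "User.ManageIdentities.All",
          "Directory.ReadWrite.All", "Directory.AccessAsUser.All" };

    // Updating passwordProfile additionally requires this (delegated-only) permission.
    const string PasswordProfilePermission = "Directory.AccessAsUser.All";

    // Reads the permissions carried in the token: "roles" (array) for app-only tokens,
    // "scp" (space separated string) for delegated tokens. The signature is NOT verified here.
    public static (bool IsAppOnly, HashSet<string> Permissions) ReadPermissions(string accessToken)
    {
        var parts = accessToken.Split('.');
        if (parts.Length < 2) throw new ArgumentException("not a JWT");
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var root = doc.RootElement;
        var perms = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        if (root.TryGetProperty("roles", out var roles))
        {
            foreach (var r in roles.EnumerateArray()) perms.Add(r.GetString()!);
            return (true, perms);
        }
        if (root.TryGetProperty("scp", out var scp))
        {
            foreach (var s in scp.GetString()!.Split(' ', StringSplitOptions.RemoveEmptyEntries)) perms.Add(s);
        }
        return (false, perms);
    }

    // Returns the reasons an update would be refused; an empty list means the token looks sufficient.
    public static List<string> MissingForUpdate(string accessToken, bool updatesPasswordProfile)
    {
        var (isAppOnly, perms) = ReadPermissions(accessToken);
        var problems = new List<string>();
        var required = isAppOnly ? AppUpdatePermissions : DelegatedUpdatePermissions;

        if (!required.Any(perms.Contains))
            problems.Add($"need one of: {string.Join(", ", required)}");

        if (updatesPasswordProfile)
        {
            if (isAppOnly)
                problems.Add($"passwordProfile needs delegated {PasswordProfilePermission}; an app-only token cannot carry it");
            else if (!perms.Contains(PasswordProfilePermission))
                problems.Add($"passwordProfile needs {PasswordProfilePermission}");
        }
        return problems;
    }

    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Convert.FromBase64String(s);
    }

    // Builds an unsigned JWT from a constructed payload, for the demo only.
    static string FakeToken(string payloadJson)
    {
        string Enc(string text) => Convert.ToBase64String(Encoding.UTF8.GetBytes(text))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return Enc("{\"alg\":\"none\"}") + "." + Enc(payloadJson) + ".";
    }

    public static void Main()
    {
        // Constructed app-only token with the two permissions the question mentions.
        var appOnly = FakeToken("{\"roles\":[\"Directory.Read.All\",\"Directory.ReadWrite.All\"]}");
        Console.WriteLine("app-only, plain update: " +
            string.Join(" | ", MissingForUpdate(appOnly, updatesPasswordProfile: false)));
        Console.WriteLine("app-only, passwordProfile: " +
            string.Join(" | ", MissingForUpdate(appOnly, updatesPasswordProfile: true)));

        // Constructed delegated token that includes Directory.AccessAsUser.All.
        var delegated = FakeToken("{\"scp\":\"User.ReadWrite.All Directory.AccessAsUser.All\"}");
        Console.WriteLine("delegated, passwordProfile: " +
            string.Join(" | ", MissingForUpdate(delegated, updatesPasswordProfile: true)));
    }
}
```

Running this reports nothing missing for the app-only plain update, a missing delegated Directory.AccessAsUser.All for the app-only passwordProfile update (the questioner's situation), and nothing missing for the delegated token. Because the check only decodes the payload, it belongs in logging or a diagnostic path; the real authorization decision is still made by Microsoft Graph when it validates the token.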
